Ransomware remains a top concern for organizations across industries. Modern attackers are utilizing easily accessible and increasingly affordable ransomware kits and creating fileless attacks. Additionally, ransomware programs are becoming more sophisticated and harder to dismantle once deployed.

What is Ransomware?

Ransomware is a form of malware that encrypts files, denying access to the user. Attackers then demand a ransom for unlocking their own data. 

Ransomware can range from a simple one-machine lockout to advanced attacks that target entire networks, certain applications, and shared files. 

What are the costs? 

The average ransomware attack cost $5,900 per incident in 2019, up from $4,300 in 2018, according to SafetyDetectives. The average cost of ransomware-caused downtime rose from $46,800 in 2018 to $141,000 in 2019, according to the same source. 

How SentinelOne handles Ransomware 

SentinelOne protects endpoints through its Singularity platform, defending against malware executables, fileless attacks, document exploits, browser exploits, live/insider scripts and credentials. 

Their endpoint protection platform (EPP) goes beyond detecting known ransomware by utilizing a predictive execution inspection engine. It observes the execution of each system process or thread in real-time. By understanding the execution behavior of applications, programs and processes in real-time the SentinelOne EPP can provide unparalleled protection against ransomware. 

Ransomware Protection Features 

Roll-back 

Ransomware typically relies on encrypting system and data files. Many of the more sophisticated variants go even further by eliminating the ability to recover data from “shadow copies” created by operating systems. SentinelOne saves and protects shadow copies of data files, allowing teams to recover from a ransomware infection. 

Real-Time Behavioral Detection 

SentinelOne’s platform focuses on real-time detection and remediation. Their software is able to provide broad visibility to endpoints and their processes and add context around processes. Their software can then predict advanced or hidden ransomware attacks based on execution behavior. 

Kernel-Space Operation 

The SentinelOne agent operates in the kernel-space, allowing for a smaller footprint compared to other endpoint platforms. Additionally, the software is highly tamper-resistant to ransomware attempts that attempt to evade or disable the agent. 

Predictive Execution Inspection 

Unlike static filters, SentinelOne’s inspection engine allows and monitors limited execution of all suspicious software, including memory-based and script-based ransomware to understand its behavior. The platform can find sophisticated ransomware that does not have disk or file activity or that does not have any indicators of compromise. 

Automatic Response and Mitigation 

The Singularity platform allows for automatic response and mitigation of ransomware in real-time. The product’s expansive actions allow security teams to act quickly and efficiently. 

Broad Platform Support 

While most ransomware targets Windows-based endpoints, other operating systems like Mac OS X and mobile operating systems are also at risk. SentinelOne supports Mac OS X as well as iOS and Andriod devices. Their platform also supports virtual environments like Linux. 

SentinelOne’s Ransomware Warranty Policy 

SentinelOne offers a competitive warranty to customers. It announced its warranty back in 2016 and has been offering generous warranty conditions since. According to its current (June 3, 2020) warranty terms: 

The scope of the warranty states (subject to some requirements) that if a successful ransomware attack occurs on company endpoints then SentinelOne will pay sole and exclusive remedy to the company damages equal to the ransom demanded. This payment would be capped at $1,000 per endpoint affected by a breach and further capped at $1,000,000 for every consecutive 12 months in which the company subscribes to solutions. 

Contingent requirements include: 

• Active and proper configuration 
• Only files that are on protected endpoints 
• Solutions: 
• Policy mode is set to Threats: Protect and Suspicious: Protect 
• All Engines are ON 
• Cloud Connectivity is not disabled 
• Anti Tamper is ON 
• Snapshots are ON 
• Scan New Agents is ON 
• The latest GA version is deployed before ransomware infection 
• No Pending Actions (like Reboot) listed on any covered endpoint 
• Supported version of Management Console is deployed 
• Exclusions specified in the SentinelOne Knowledge Base “Not Recommended Exclusions” article, are not deployed in the Management Console or Agent 
• Operating System: 
• Warranty applies to Standard Windows Agents 
• Each endpoint is malware-free prior to SenintelOne Windows Agent installation 
• OS is fully updated and patched on each covered endpoint 
• VSS (Volume Shadow Copy Service) is enabled and functioning on all Windows endpoints. VSS Disk Space Usage allocation must be configured with at least 10% on all disks. 
• All endpoints of the customer must: 
• Immediately add specific ransomware added to blacklist 
• In case ransomware was not blocked (only detected) – take remediation and rollback action within 1 hour of infection/discovery of ransomeware 
• Notify SentinelOne of the ransomware discovery within 24 hours 

For the full text of their ransomware warranty, click here. 

The warranty does not cover any other damages such as stolen intellectual property or impact to brand/reputation. 

The Datashield Difference 

SentinelOne is just the first line of defense when protecting your organization’s endpoints. Datashield has helped our clients create leading cloud-native security architecture, perform advanced tool tuning, and deploy custom runbooks to help SentinelOne’s software run even better. 

Powerful tools only work as well as the people wielding them. Datashield has a direct partnership with SentinelOne, unparalleled deployment process, and integration with our leading orchestration and automation tool SHIELDVision. 

If your organization is considering implementing SentinelOne, make sure you partner with the best in managed security service providers. Datashield has been a part of the industry for over a decade and is still on the forefront of cybersecurity solutions. 

Contact us today